@axonflow/openclaw 0.1.0

package/CHANGELOG.md

@@ -0,0 +1,19 @@
+# Changelog
+
+## [0.1.0] - 2026-04-01
+
+### Added
+
+- `before_tool_call` hook: evaluates tool arguments against AxonFlow policies before execution. Blocks dangerous commands, detects PII in tool input, enforces rate limits.
+- `after_tool_call` hook: logs every tool execution to AxonFlow's audit trail for compliance evidence.
+- `message_sending` hook: scans outbound messages to user channels (Telegram, Discord, Slack, WhatsApp) for PII and secrets. Can cancel or redact before delivery.
+- `llm_input` hook: records prompt, model, and provider at the start of each LLM call to AxonFlow's audit trail.
+- `llm_output` hook: records LLM response, token usage, and latency. Correlates with `llm_input` for complete LLM call audit entries.
+- High-risk tool approval: configurable tool list triggers OpenClaw's native approval flow even when AxonFlow allows the call.
+- Configurable governance scope: govern all tools, specific tools only, or exclude specific tools.
+- Fail-open/fail-closed: `onError` config controls behavior when AxonFlow is unreachable.
+- Starter policy documentation with SQL setup for OpenClaw production baseline.
+
+### Not Yet Supported
+
+- Tool result transcript scanning: OpenClaw's `tool_result_persist` hook is sync-only, preventing async HTTP calls to AxonFlow. Upstream issue filed (openclaw/openclaw#58558). Outbound messages ARE scanned via `message_sending`.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 AxonFlow
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,141 @@
+# @axonflow/openclaw
+
+**Policy enforcement, approval gates, and audit trails for [OpenClaw](https://github.com/openclaw/openclaw).**
+
+OpenClaw handles agent runtime, tool execution, MCP connectivity, and channel delivery. AxonFlow adds a governance layer for production use: inspect tool inputs before execution, scan outbound messages before delivery, and record tool + LLM activity for review, security, and compliance.
+
+This plugin is useful when you want to:
+- block dangerous tool calls before they run
+- require approval for selected high-risk tools
+- prevent PII or secrets from being sent to users
+- keep an audit trail of agent activity with policy context
+
+Much of the OpenClaw ecosystem today focuses on routing, memory, integrations, and observability. This plugin focuses on governance: policy enforcement, approval gates, and reviewable audit trails.
+
+## What v0.1.0 Covers
+
+| Hook | Purpose |
+|------|---------|
+| `before_tool_call` | Evaluate tool inputs against AxonFlow policies before execution |
+| `after_tool_call` | Record tool execution in AxonFlow audit trail |
+| `message_sending` | Scan outbound messages for PII/secrets before delivery |
+| `llm_input` | Record prompt, model, and provider for audit |
+| `llm_output` | Record response summary, token usage, and latency for audit |
+
+## Current Limitation
+
+Tool results written into the OpenClaw session transcript are not yet scanned by this plugin. OpenClaw's `tool_result_persist` hook is synchronous today, so it cannot call AxonFlow's HTTP policy APIs.
+
+What is protected today:
+- tool inputs before execution
+- outbound messages before delivery
+- tool and LLM audit trails
+
+What is not protected yet:
+- tool results entering the LLM context through the session transcript
+
+If OpenClaw adds async support for `tool_result_persist`, AxonFlow can add transcript/result scanning immediately. Upstream issue: [openclaw/openclaw#58558](https://github.com/openclaw/openclaw/issues/58558).
+
+## Install
+
+```bash
+openclaw plugins install @axonflow/openclaw
+```
+
+## Configure
+
+In your OpenClaw config:
+
+```yaml
+plugins:
+  @axonflow/openclaw:
+    endpoint: http://localhost:8080
+    clientId: your-client-id
+    clientSecret: your-secret
+    highRiskTools:
+      - web_fetch
+      - message
+```
+
+### Configuration Options
+
+| Option | Required | Default | Description |
+|--------|----------|---------|-------------|
+| `endpoint` | Yes | — | AxonFlow agent gateway URL |
+| `clientId` | Yes | — | AxonFlow client ID |
+| `clientSecret` | Yes | — | AxonFlow client secret |
+| `highRiskTools` | No | `[]` | Tools that require human approval even when policy allows |
+| `governedTools` | No | `[]` (all) | Tools to govern. Empty = all tools. |
+| `excludedTools` | No | `[]` | Tools to exclude from governance |
+| `defaultOperation` | No | `"execute"` | Operation type for mcp_check_input (`"execute"` or `"query"`) |
+| `onError` | No | `"block"` | Behavior when AxonFlow is unreachable: `"block"` (fail-closed) or `"allow"` (fail-open) |
+
+## How It Works
+
+```
+User sends message → OpenClaw receives
+    │
+    ▼
+┌─────────────────────────────────────────────┐
+│ llm_input (audit)                           │
+│ → Record prompt, model, provider            │
+└─────────────────────────────────────────────┘
+    │
+    ▼
+LLM generates response (may include tool calls)
+    │
+    ▼
+┌─────────────────────────────────────────────┐
+│ llm_output (audit)                          │
+│ → Record response, tokens, latency          │
+└─────────────────────────────────────────────┘
+    │
+    ▼  (if tool calls in response)
+┌─────────────────────────────────────────────┐
+│ before_tool_call (governance)               │
+│ → mcp_check_input(openclaw.{tool}, args)    │
+│ → BLOCK / REQUIRE APPROVAL / ALLOW          │
+└─────────────────────────────────────────────┘
+    │
+    ▼
+Tool executes (web_fetch, message, MCP, etc.)
+    │
+    ▼
+Tool result persisted to session transcript
+(not scanned — pending async hook support)
+    │
+    ▼
+┌─────────────────────────────────────────────┐
+│ after_tool_call (audit)                     │
+│ → audit_tool_call(tool, params, result)     │
+└─────────────────────────────────────────────┘
+    │
+    ▼
+┌─────────────────────────────────────────────┐
+│ message_sending (governance)                │
+│ → mcp_check_output(openclaw.message_sending) │
+│ → CANCEL / REDACT / ALLOW                   │
+└─────────────────────────────────────────────┘
+    │
+    ▼
+Message delivered to user channel
+```
+
+## Prerequisites
+
+- [AxonFlow](https://github.com/getaxonflow/axonflow) running (Docker or production)
+- OpenClaw 1.0+
+
+## Starter Policies
+
+See [policies/README.md](./policies/README.md) for recommended policy setup for OpenClaw deployments, including protections against reverse shells, credential exfiltration, SSRF, path traversal, and agent config file poisoning.
+
+## Links
+
+- [AxonFlow Documentation](https://docs.getaxonflow.com)
+- [OpenClaw Integration Guide](https://docs.getaxonflow.com/docs/integration/openclaw/)
+- [Policy Enforcement](https://docs.getaxonflow.com/docs/mcp/policy-enforcement/)
+
+## License
+
+MIT

package/dist/audit.d.ts

@@ -0,0 +1,23 @@
+/**
+ * after_tool_call hook — audit logging.
+ *
+ * Records every tool execution to AxonFlow's audit trail.
+ * Fire-and-forget: audit failures do not block tool execution.
+ */
+import type { AxonFlowClient } from "./axonflow-client.js";
+import type { AxonFlowPluginConfig } from "./config.js";
+/**
+ * Create the after_tool_call hook handler.
+ *
+ * Logs tool execution details to AxonFlow for compliance audit.
+ */
+export declare function createAfterToolCallHandler(client: AxonFlowClient, config: AxonFlowPluginConfig): (event: {
+    toolName: string;
+    params: Record<string, unknown>;
+    runId?: string;
+    toolCallId?: string;
+    result?: unknown;
+    error?: string;
+    durationMs?: number;
+}) => Promise<void>;
+//# sourceMappingURL=audit.d.ts.map

package/dist/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGxD;;;;GAIG;AACH,wBAAgB,0BAA0B,CACxC,MAAM,EAAE,cAAc,EACtB,MAAM,EAAE,oBAAoB,IAEd,OAAO;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,KAAG,OAAO,CAAC,IAAI,CAAC,CAiBlB"}

package/dist/audit.js

@@ -0,0 +1,26 @@
+/**
+ * after_tool_call hook — audit logging.
+ *
+ * Records every tool execution to AxonFlow's audit trail.
+ * Fire-and-forget: audit failures do not block tool execution.
+ */
+import { shouldGovernTool } from "./config.js";
+/**
+ * Create the after_tool_call hook handler.
+ *
+ * Logs tool execution details to AxonFlow for compliance audit.
+ */
+export function createAfterToolCallHandler(client, config) {
+    return async (event) => {
+        if (!shouldGovernTool(event.toolName, config)) {
+            return;
+        }
+        try {
+            await client.auditToolCall(event.toolName, event.params, event.result, event.error, event.durationMs);
+        }
+        catch {
+            // Fire-and-forget: audit failures must not interfere with tool pipeline
+        }
+    };
+}
+//# sourceMappingURL=audit.js.map

package/dist/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../src/audit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE/C;;;;GAIG;AACH,MAAM,UAAU,0BAA0B,CACxC,MAAsB,EACtB,MAA4B;IAE5B,OAAO,KAAK,EAAE,KAQb,EAAiB,EAAE;QAClB,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,EAAE,CAAC;YAC9C,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,MAAM,CAAC,aAAa,CACxB,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,KAAK,EACX,KAAK,CAAC,UAAU,CACjB,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,wEAAwE;QAC1E,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/axonflow-client.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Lightweight AxonFlow API client for the plugin.
+ *
+ * Uses direct HTTP calls to avoid requiring the full @axonflow/sdk
+ * as a runtime dependency.
+ */
+import type { AxonFlowPluginConfig } from "./config.js";
+export interface MCPCheckInputResponse {
+    allowed: boolean;
+    block_reason?: string;
+    policies_evaluated: number;
+}
+export interface MCPCheckOutputResponse {
+    allowed: boolean;
+    block_reason?: string;
+    redacted_data?: unknown;
+    policies_evaluated: number;
+}
+export declare class AxonFlowClient {
+    private readonly endpoint;
+    private readonly authHeader;
+    private readonly tenantId;
+    constructor(config: AxonFlowPluginConfig);
+    private baseHeaders;
+    mcpCheckInput(connectorType: string, statement: string, operation?: string): Promise<MCPCheckInputResponse>;
+    mcpCheckOutput(connectorType: string, message: string): Promise<MCPCheckOutputResponse>;
+    /**
+     * Log a tool execution to the audit trail.
+     * Uses POST /api/v1/audit/tool-call (requires X-Tenant-ID header).
+     */
+    auditToolCall(toolName: string, params: Record<string, unknown>, result?: unknown, error?: string, durationMs?: number): Promise<void>;
+    /**
+     * Log an LLM call to the audit trail.
+     *
+     * Uses the same audit/tool-call endpoint with tool_type "llm_call".
+     * The dedicated audit/llm-call endpoint requires context_id (from pre_check)
+     * which the plugin doesn't have. This approach logs LLM calls as tool-call
+     * audit entries, providing audit evidence without requiring prior context.
+     */
+    auditLLMCall(provider: string, model: string, query: string, responseSummary: string, tokenUsage: {
+        prompt_tokens: number;
+        completion_tokens: number;
+        total_tokens: number;
+    }, latencyMs: number): Promise<void>;
+    healthCheck(): Promise<boolean>;
+}
+//# sourceMappingURL=axonflow-client.d.ts.map

package/dist/axonflow-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"axonflow-client.d.ts","sourceRoot":"","sources":["../src/axonflow-client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExD,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAyBD,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,MAAM,EAAE,oBAAoB;IAYxC,OAAO,CAAC,WAAW;IAQb,aAAa,CACjB,aAAa,EAAE,MAAM,EACrB,SAAS,EAAE,MAAM,EACjB,SAAS,GAAE,MAAkB,GAC5B,OAAO,CAAC,qBAAqB,CAAC;IA2C3B,cAAc,CAClB,aAAa,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,sBAAsB,CAAC;IA2ClC;;;OAGG;IACG,aAAa,CACjB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,MAAM,CAAC,EAAE,OAAO,EAChB,KAAK,CAAC,EAAE,MAAM,EACd,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,IAAI,CAAC;IAqBhB;;;;;;;OAOG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,EACb,eAAe,EAAE,MAAM,EACvB,UAAU,EAAE;QAAE,aAAa,EAAE,MAAM,CAAC;QAAC,iBAAiB,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,EACtF,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,IAAI,CAAC;IAoBV,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;CAQtC"}

package/dist/axonflow-client.js

@@ -0,0 +1,180 @@
+/**
+ * Lightweight AxonFlow API client for the plugin.
+ *
+ * Uses direct HTTP calls to avoid requiring the full @axonflow/sdk
+ * as a runtime dependency.
+ */
+/**
+ * Extract policies_evaluated count from API response.
+ * The platform returns this as a top-level number on 403 responses,
+ * or inside policy_info.policies_evaluated (which can be a number or
+ * array of policy names) on 200 responses.
+ */
+function extractPoliciesEvaluated(data) {
+    if (typeof data["policies_evaluated"] === "number") {
+        return data["policies_evaluated"];
+    }
+    const policyInfo = data["policy_info"];
+    if (typeof policyInfo === "object" && policyInfo !== null) {
+        const pi = policyInfo;
+        if (typeof pi["policies_evaluated"] === "number") {
+            return pi["policies_evaluated"];
+        }
+        if (Array.isArray(pi["policies_evaluated"])) {
+            return pi["policies_evaluated"].length;
+        }
+    }
+    return 0;
+}
+export class AxonFlowClient {
+    endpoint;
+    authHeader;
+    tenantId;
+    constructor(config) {
+        this.endpoint = config.endpoint.replace(/\/+$/, "");
+        const credentials = Buffer.from(`${config.clientId}:${config.clientSecret}`).toString("base64");
+        this.authHeader = `Basic ${credentials}`;
+        // clientId serves as tenantId for single-tenant setups.
+        // The Agent proxy normally injects X-Tenant-ID after auth, but
+        // direct Orchestrator calls (audit/tool-call) require it explicitly.
+        this.tenantId = config.clientId;
+    }
+    baseHeaders() {
+        return {
+            "Content-Type": "application/json",
+            Authorization: this.authHeader,
+            "X-Tenant-ID": this.tenantId,
+        };
+    }
+    async mcpCheckInput(connectorType, statement, operation = "execute") {
+        const url = `${this.endpoint}/api/v1/mcp/check-input`;
+        const response = await fetch(url, {
+            method: "POST",
+            headers: this.baseHeaders(),
+            body: JSON.stringify({
+                connector_type: connectorType,
+                statement,
+                operation,
+            }),
+        });
+        const data = (await response.json());
+        if (response.status === 403) {
+            return {
+                allowed: false,
+                block_reason: typeof data["block_reason"] === "string"
+                    ? data["block_reason"]
+                    : typeof data["error"] === "string"
+                        ? data["error"]
+                        : "Blocked by policy",
+                policies_evaluated: extractPoliciesEvaluated(data),
+            };
+        }
+        if (!response.ok) {
+            throw new Error(`AxonFlow check-input failed: ${response.status} ${typeof data["error"] === "string" ? data["error"] : ""}`);
+        }
+        return {
+            allowed: data["allowed"] === true,
+            block_reason: typeof data["block_reason"] === "string"
+                ? data["block_reason"]
+                : undefined,
+            policies_evaluated: extractPoliciesEvaluated(data),
+        };
+    }
+    async mcpCheckOutput(connectorType, message) {
+        const url = `${this.endpoint}/api/v1/mcp/check-output`;
+        const response = await fetch(url, {
+            method: "POST",
+            headers: this.baseHeaders(),
+            body: JSON.stringify({
+                connector_type: connectorType,
+                message,
+            }),
+        });
+        const data = (await response.json());
+        if (response.status === 403) {
+            return {
+                allowed: false,
+                block_reason: typeof data["block_reason"] === "string"
+                    ? data["block_reason"]
+                    : typeof data["error"] === "string"
+                        ? data["error"]
+                        : "Blocked by policy",
+                policies_evaluated: extractPoliciesEvaluated(data),
+            };
+        }
+        if (!response.ok) {
+            throw new Error(`AxonFlow check-output failed: ${response.status} ${typeof data["error"] === "string" ? data["error"] : ""}`);
+        }
+        return {
+            allowed: data["allowed"] === true,
+            block_reason: typeof data["block_reason"] === "string"
+                ? data["block_reason"]
+                : undefined,
+            redacted_data: data["redacted_data"] ?? undefined,
+            policies_evaluated: extractPoliciesEvaluated(data),
+        };
+    }
+    /**
+     * Log a tool execution to the audit trail.
+     * Uses POST /api/v1/audit/tool-call (requires X-Tenant-ID header).
+     */
+    async auditToolCall(toolName, params, result, error, durationMs) {
+        const url = `${this.endpoint}/api/v1/audit/tool-call`;
+        try {
+            await fetch(url, {
+                method: "POST",
+                headers: this.baseHeaders(),
+                body: JSON.stringify({
+                    tool_name: toolName,
+                    tool_type: "openclaw",
+                    input: params,
+                    output: result != null ? { result: JSON.stringify(result).slice(0, 500) } : undefined,
+                    success: error == null,
+                    error_message: error,
+                    duration_ms: durationMs,
+                }),
+            });
+        }
+        catch {
+            // Audit failures are non-fatal
+        }
+    }
+    /**
+     * Log an LLM call to the audit trail.
+     *
+     * Uses the same audit/tool-call endpoint with tool_type "llm_call".
+     * The dedicated audit/llm-call endpoint requires context_id (from pre_check)
+     * which the plugin doesn't have. This approach logs LLM calls as tool-call
+     * audit entries, providing audit evidence without requiring prior context.
+     */
+    async auditLLMCall(provider, model, query, responseSummary, tokenUsage, latencyMs) {
+        const url = `${this.endpoint}/api/v1/audit/tool-call`;
+        try {
+            await fetch(url, {
+                method: "POST",
+                headers: this.baseHeaders(),
+                body: JSON.stringify({
+                    tool_name: `${provider}.${model}`,
+                    tool_type: "llm_call",
+                    input: { query: query.slice(0, 500) },
+                    output: { response_summary: responseSummary.slice(0, 200), token_usage: tokenUsage },
+                    success: true,
+                    duration_ms: latencyMs,
+                }),
+            });
+        }
+        catch {
+            // Audit failures are non-fatal
+        }
+    }
+    async healthCheck() {
+        try {
+            const response = await fetch(`${this.endpoint}/health`);
+            return response.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+//# sourceMappingURL=axonflow-client.js.map

package/dist/axonflow-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"axonflow-client.js","sourceRoot":"","sources":["../src/axonflow-client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAiBH;;;;;GAKG;AACH,SAAS,wBAAwB,CAAC,IAA6B;IAC7D,IAAI,OAAO,IAAI,CAAC,oBAAoB,CAAC,KAAK,QAAQ,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACpC,CAAC;IACD,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,CAAC;IACvC,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;QAC1D,MAAM,EAAE,GAAG,UAAqC,CAAC;QACjD,IAAI,OAAO,EAAE,CAAC,oBAAoB,CAAC,KAAK,QAAQ,EAAE,CAAC;YACjD,OAAO,EAAE,CAAC,oBAAoB,CAAC,CAAC;QAClC,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC;YAC5C,OAAO,EAAE,CAAC,oBAAoB,CAAC,CAAC,MAAM,CAAC;QACzC,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,MAAM,OAAO,cAAc;IACR,QAAQ,CAAS;IACjB,UAAU,CAAS;IACnB,QAAQ,CAAS;IAElC,YAAY,MAA4B;QACtC,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACpD,MAAM,WAAW,GAAG,MAAM,CAAC,IAAI,CAC7B,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY,EAAE,CAC5C,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,SAAS,WAAW,EAAE,CAAC;QACzC,wDAAwD;QACxD,+DAA+D;QAC/D,qEAAqE;QACrE,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAClC,CAAC;IAEO,WAAW;QACjB,OAAO;YACL,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,IAAI,CAAC,UAAU;YAC9B,aAAa,EAAE,IAAI,CAAC,QAAQ;SAC7B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,aAAa,CACjB,aAAqB,EACrB,SAAiB,EACjB,YAAoB,SAAS;QAE7B,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,yBAAyB,CAAC;QACtD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;YAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,cAAc,EAAE,aAAa;gBAC7B,SAAS;gBACT,SAAS;aACV,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAEhE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY,EACV,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,QAAQ;oBACtC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;oBACtB,CAAC,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ;wBACjC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;wBACf,CAAC,CAAC,mBAAmB;gBAC3B,kBAAkB,EAAE,wBAAwB,CAAC,IAAI,CAAC;aACnD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,gCAAgC,QAAQ,CAAC,MAAM,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAC5G,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI;YACjC,YAAY,EACV,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,QAAQ;gBACtC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;gBACtB,CAAC,CAAC,SAAS;YACf,kBAAkB,EAAE,wBAAwB,CAAC,IAAI,CAAC;SACnD,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,aAAqB,EACrB,OAAe;QAEf,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,0BAA0B,CAAC;QACvD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAChC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;YAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB,cAAc,EAAE,aAAa;gBAC7B,OAAO;aACR,CAAC;SACH,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAC;QAEhE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,YAAY,EACV,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,QAAQ;oBACtC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;oBACtB,CAAC,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ;wBACjC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC;wBACf,CAAC,CAAC,mBAAmB;gBAC3B,kBAAkB,EAAE,wBAAwB,CAAC,IAAI,CAAC;aACnD,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CACb,iCAAiC,QAAQ,CAAC,MAAM,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAC7G,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,IAAI;YACjC,YAAY,EACV,OAAO,IAAI,CAAC,cAAc,CAAC,KAAK,QAAQ;gBACtC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC;gBACtB,CAAC,CAAC,SAAS;YACf,aAAa,EAAE,IAAI,CAAC,eAAe,CAAC,IAAI,SAAS;YACjD,kBAAkB,EAAE,wBAAwB,CAAC,IAAI,CAAC;SACnD,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,aAAa,CACjB,QAAgB,EAChB,MAA+B,EAC/B,MAAgB,EAChB,KAAc,EACd,UAAmB;QAEnB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,yBAAyB,CAAC;QACtD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,GAAG,EAAE;gBACf,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;gBAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,QAAQ;oBACnB,SAAS,EAAE,UAAU;oBACrB,KAAK,EAAE,MAAM;oBACb,MAAM,EAAE,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,SAAS;oBACrF,OAAO,EAAE,KAAK,IAAI,IAAI;oBACtB,aAAa,EAAE,KAAK;oBACpB,WAAW,EAAE,UAAU;iBACxB,CAAC;aACH,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,YAAY,CAChB,QAAgB,EAChB,KAAa,EACb,KAAa,EACb,eAAuB,EACvB,UAAsF,EACtF,SAAiB;QAEjB,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,yBAAyB,CAAC;QACtD,IAAI,CAAC;YACH,MAAM,KAAK,CAAC,GAAG,EAAE;gBACf,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE;gBAC3B,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;oBACnB,SAAS,EAAE,GAAG,QAAQ,IAAI,KAAK,EAAE;oBACjC,SAAS,EAAE,UAAU;oBACrB,KAAK,EAAE,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE;oBACrC,MAAM,EAAE,EAAE,gBAAgB,EAAE,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,WAAW,EAAE,UAAU,EAAE;oBACpF,OAAO,EAAE,IAAI;oBACb,WAAW,EAAE,SAAS;iBACvB,CAAC;aACH,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,+BAA+B;QACjC,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,QAAQ,SAAS,CAAC,CAAC;YACxD,OAAO,QAAQ,CAAC,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}

package/dist/config.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Configuration for the AxonFlow governance plugin.
+ *
+ * All configuration is read from the OpenClaw plugin config system
+ * (openclaw.plugin.json or runtime config).
+ */
+export interface AxonFlowPluginConfig {
+    /** AxonFlow agent gateway endpoint (e.g., "http://localhost:8080"). */
+    endpoint: string;
+    /** AxonFlow client ID for authentication. */
+    clientId: string;
+    /** AxonFlow client secret for authentication. */
+    clientSecret: string;
+    /**
+     * Tools that require human approval even when AxonFlow allows them.
+     * Uses OpenClaw's native approval flow (Telegram/Discord/approve command).
+     */
+    highRiskTools?: string[];
+    /**
+     * Tools to govern. If empty, ALL tools are governed.
+     * Use this to selectively enable governance on specific tools.
+     */
+    governedTools?: string[];
+    /**
+     * Tools to exclude from governance. Takes precedence over governedTools.
+     */
+    excludedTools?: string[];
+    /**
+     * Operation type sent to mcp_check_input.
+     * Defaults to "execute". Set to "query" for read-only tool setups.
+     */
+    defaultOperation?: string;
+    /**
+     * Behavior when AxonFlow is unreachable (network error, timeout).
+     * - "block" (default): treat errors as policy blocks (fail-closed)
+     * - "allow": allow tool execution to proceed (fail-open)
+     *
+     * Fail-open prevents AxonFlow outages from breaking all tool execution.
+     * Fail-closed is safer but can cascade AxonFlow failures to the agent.
+     */
+    onError?: "block" | "allow";
+}
+/** Validate plugin config and return defaults. */
+export declare function resolveConfig(raw: Record<string, unknown> | undefined): AxonFlowPluginConfig;
+/** Check if a tool should be governed based on config. */
+export declare function shouldGovernTool(toolName: string, config: AxonFlowPluginConfig): boolean;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,WAAW,oBAAoB;IACnC,uEAAuE;IACvE,QAAQ,EAAE,MAAM,CAAC;IAEjB,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IAEjB,iDAAiD;IACjD,YAAY,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IAEzB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IAEzB;;OAEG;IACH,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IAEzB;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;;;;;OAOG;IACH,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;CAC7B;AAED,kDAAkD;AAClD,wBAAgB,aAAa,CAC3B,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,GACvC,oBAAoB,CA0CtB;AAED,0DAA0D;AAC1D,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,oBAAoB,GAC3B,OAAO,CAWT"}

package/dist/config.js

@@ -0,0 +1,56 @@
+/**
+ * Configuration for the AxonFlow governance plugin.
+ *
+ * All configuration is read from the OpenClaw plugin config system
+ * (openclaw.plugin.json or runtime config).
+ */
+/** Validate plugin config and return defaults. */
+export function resolveConfig(raw) {
+    if (!raw) {
+        throw new Error("AxonFlow plugin requires configuration. Set endpoint, clientId, and clientSecret in your OpenClaw plugin config.");
+    }
+    const endpoint = raw["endpoint"];
+    if (typeof endpoint !== "string" || !endpoint) {
+        throw new Error("AxonFlow plugin: 'endpoint' is required (e.g., 'http://localhost:8080')");
+    }
+    const clientId = raw["clientId"];
+    if (typeof clientId !== "string" || !clientId) {
+        throw new Error("AxonFlow plugin: 'clientId' is required");
+    }
+    const clientSecret = raw["clientSecret"];
+    if (typeof clientSecret !== "string" || !clientSecret) {
+        throw new Error("AxonFlow plugin: 'clientSecret' is required");
+    }
+    return {
+        endpoint,
+        clientId,
+        clientSecret,
+        highRiskTools: Array.isArray(raw["highRiskTools"])
+            ? raw["highRiskTools"]
+            : [],
+        governedTools: Array.isArray(raw["governedTools"])
+            ? raw["governedTools"]
+            : [],
+        excludedTools: Array.isArray(raw["excludedTools"])
+            ? raw["excludedTools"]
+            : [],
+        defaultOperation: typeof raw["defaultOperation"] === "string"
+            ? raw["defaultOperation"]
+            : "execute",
+        onError: raw["onError"] === "allow" ? "allow" : "block",
+    };
+}
+/** Check if a tool should be governed based on config. */
+export function shouldGovernTool(toolName, config) {
+    // Excluded tools take precedence
+    if (config.excludedTools && config.excludedTools.includes(toolName)) {
+        return false;
+    }
+    // If governedTools is specified, only those are governed
+    if (config.governedTools && config.governedTools.length > 0) {
+        return config.governedTools.includes(toolName);
+    }
+    // Default: govern all tools
+    return true;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA8CH,kDAAkD;AAClD,MAAM,UAAU,aAAa,CAC3B,GAAwC;IAExC,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,MAAM,IAAI,KAAK,CACb,kHAAkH,CACnH,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC;IACjC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;IAC7F,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC;IACjC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,YAAY,GAAG,GAAG,CAAC,cAAc,CAAC,CAAC;IACzC,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,CAAC,YAAY,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,OAAO;QACL,QAAQ;QACR,QAAQ;QACR,YAAY;QACZ,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAChD,CAAC,CAAE,GAAG,CAAC,eAAe,CAAc;YACpC,CAAC,CAAC,EAAE;QACN,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAChD,CAAC,CAAE,GAAG,CAAC,eAAe,CAAc;YACpC,CAAC,CAAC,EAAE;QACN,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAChD,CAAC,CAAE,GAAG,CAAC,eAAe,CAAc;YACpC,CAAC,CAAC,EAAE;QACN,gBAAgB,EACd,OAAO,GAAG,CAAC,kBAAkB,CAAC,KAAK,QAAQ;YACzC,CAAC,CAAC,GAAG,CAAC,kBAAkB,CAAC;YACzB,CAAC,CAAC,SAAS;QACf,OAAO,EACL,GAAG,CAAC,SAAS,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO;KACjD,CAAC;AACJ,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,gBAAgB,CAC9B,QAAgB,EAChB,MAA4B;IAE5B,iCAAiC;IACjC,IAAI,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACpE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,yDAAyD;IACzD,IAAI,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,OAAO,MAAM,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACjD,CAAC;IACD,4BAA4B;IAC5B,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/governance.d.ts

@@ -0,0 +1,40 @@
+/**
+ * before_tool_call hook — input governance.
+ *
+ * Evaluates tool arguments against AxonFlow policies before execution.
+ * Can block the call, require human approval, or allow through.
+ */
+import type { AxonFlowClient } from "./axonflow-client.js";
+import type { AxonFlowPluginConfig } from "./config.js";
+/** Result type matching OpenClaw's PluginHookBeforeToolCallResult. */
+export interface BeforeToolCallResult {
+    params?: Record<string, unknown>;
+    block?: boolean;
+    blockReason?: string;
+    requireApproval?: {
+        title: string;
+        description: string;
+        severity?: "info" | "warning" | "critical";
+        timeoutMs?: number;
+        timeoutBehavior?: "allow" | "deny";
+    };
+}
+/** Derive connector_type from tool name for AxonFlow policy evaluation. */
+export declare function deriveConnectorType(toolName: string): string;
+/**
+ * Create the before_tool_call hook handler.
+ *
+ * Decision logic:
+ * 1. If tool is excluded from governance: allow through (no check)
+ * 2. Call mcp_check_input with tool args serialized as JSON
+ * 3. If blocked by policy: return { block: true, blockReason }
+ * 4. If tool is in highRiskTools AND allowed: return { requireApproval }
+ * 5. Otherwise: allow through
+ */
+export declare function createBeforeToolCallHandler(client: AxonFlowClient, config: AxonFlowPluginConfig): (event: {
+    toolName: string;
+    params: Record<string, unknown>;
+    runId?: string;
+    toolCallId?: string;
+}) => Promise<BeforeToolCallResult | undefined>;
+//# sourceMappingURL=governance.d.ts.map

package/dist/governance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"governance.d.ts","sourceRoot":"","sources":["../src/governance.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAGxD,sEAAsE;AACtE,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE;QAChB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;QAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,eAAe,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;KACpC,CAAC;CACH;AAED,2EAA2E;AAC3E,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAE5D;AAED;;;;;;;;;GASG;AACH,wBAAgB,2BAA2B,CACzC,MAAM,EAAE,cAAc,EACtB,MAAM,EAAE,oBAAoB,IAEd,OAAO;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,KAAG,OAAO,CAAC,oBAAoB,GAAG,SAAS,CAAC,CAkD9C"}